What I am looking for is a PowerCLI script to create a role within vCenter. I found this post, and I am wondering if it can be adapted to my needs. What I need specifically is a script to create a role with the following set of privileges:
System.Anonymous
System.View
System.Read
Global.SetCustomField
Datastore.AllocateSpace
Network.Assign
VirtualMachine.Inventory.Create
VirtualMachine.Interact.PowerOn
VirtualMachine.Interact.DeviceConnection
VirtualMachine.Interact.SetCDMedia
VirtualMachine.Interact.GuestControl
VirtualMachine.Config.AddNewDisk
VirtualMachine.Config.CPUCount
VirtualMachine.Config.Memory
VirtualMachine.Config.AddRemoveDevice
VirtualMachine.Config.Resource
VirtualMachine.Config.DiskExtend
Resource.AssignVMToPool
VApp.Import
StoragePod.Config
Can this be accomplished with a PowerCLI script?
Would this be better for my needs?
$privs_for_role = @(
'System.Anonymous',
'System.View',
'System.Read'
)
New-VIRole -Name custom_role1 -Privilege (Get-VIPrivilege -Id $privs_for_role)
You will need to find the privileges you require (use Get-VIPrivilege), then use the correct name of each privilege and create a new role (as in the code you listed above).
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Thank you for the reply LucD. I used the Get-VIPrivilege -PrivilegeItem command to output all of the available privileges, and will use that to create the script.
I am also looking at how to add the role. I would like to add it to the top-level "Datacenters" folder. Let me know how this looks:
$privs_for_role=@(
'System.Anonymous',
'System.View',
'System.Read')
New-VIRole -Name mycustomrole -Privilege (Get-VIPrivilege -Id $privs_for_role)
$rootFolder = Get-Folder -NoRecursion
$myPermissions = New-VIPermission -Entity $rootFolder -Principal "domain\user" -Role mycustomrole -Propagate:$true
You can get the root folder like this
Get-Folder -Name Datacenters
The rest of your script looks ok.
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Cool, thank you again LucD. I'll give it a shot and let you know how it goes.
Hey LucD, I am having a few issues with the script. When I use "Administrators" as the Principal, the script runs perfectly. The role is created and access is granted to the Administrators group. However, when I add a domain user and/or group as the Principal, the script fails. I see messages like:
New-VIPermission Could not find VIAccount with name "Domain\Group"
New VIPermission Value cannot be found for the mandatory parameter Principal
I am accessing vCenter with a domain account that has full privileges. Is there something else I need in the script? Thank you again.
I modified the script some, but am still unable to get my desired result. I have added:
$principal = Get-VIAccount -Domain "DOMAIN" -User "username"
$myPermissions = New-VIPermission -Entity $rootfolder -Principal $principal -Role mycustomrole -Propagate:$true
This DOES work for one particular username. However, when I run Get-VIAccount using the -Group -Id switches, it does NOT find my desired group. Am I heading in the right direction?
You did configure the ESXi server(s) to use Active Directory as the authentication service?
Do a Get-VMHostAuthentication.
I do get my domain groups, see this example from my test environment
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Thank you again for the reply LucD. I did verify that all our hosts are using AD for authentication. I ran the command you listed, and noticed the group listing stopped in the C's. I piped it out to a text file and this time it stops in the H's.
Now before I go any further, I want to say that we do have a very large AD environment. When I run the Get-VIAccount query, the ending groups (C and H) are both in the same OU. The group that I'm trying to add is a few OU's down, and the query looks like it's going by OU. To test, I renamed my group to AAA_TestGroup, which should be at the top of the A's. Unfortunately the group is not returned in the query.
I also checked the AD settings for vCenter, and verified the query limit is set to 5000. Are there just too many groups in my environment for this to work?
Can you get a result when you specify the name of the group?
Get-VIAccount -Domain "DOMAIN" -Name TestGroup -Group
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
When I run this command:
Get-VIAccount -Domain "DOMAIN" -Group
I see multiple groups displayed. One of the groups is called "CDUSERS". So I run the following:
Get-VIAccount -Domain "DOMAIN" -Name CDUSERS -Group
I get an output saying:
Parameter set cannot be resolved using the specified name parameters.
Get-VIAccount <<<< -Domain "DOMAIN" -Name CDUSERS -Group
Since this was found with the initial domain group query, shouldn't this be found with -Name?
My bad, you can't have the Domain parameter and the Name parameter together, they are not in the same parameter set.
Try it like this
Get-VIAccount -Group -Name "DOMAIN\CDUSERS"
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
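A consolidated version of the procedure worked out in this thread, added here as an example and not code posted by anyone in it: it creates the role with the privilege list from the opening post, resolves the domain group with the parameter set given above (-Group -Name "DOMAIN\Group"), and grants it on the root folder. The role name and DOMAIN\AAA_TestGroup are placeholders, and an existing Connect-VIServer session is assumed.

```powershell
# Added example, not from the thread. Assumes an active Connect-VIServer
# session and the PowerCLI cmdlets used in the discussion. Names are placeholders.
$roleName  = 'mycustomrole'
$principal = 'DOMAIN\AAA_TestGroup'   # placeholder domain group

# Least-privilege set from the opening post: enough to deploy and operate
# VMs, nothing at the host or vCenter configuration level.
$privIds = @(
    'System.Anonymous', 'System.View', 'System.Read',
    'Global.SetCustomField',
    'Datastore.AllocateSpace',
    'Network.Assign',
    'VirtualMachine.Inventory.Create',
    'VirtualMachine.Interact.PowerOn',
    'VirtualMachine.Interact.DeviceConnection',
    'VirtualMachine.Interact.SetCDMedia',
    'VirtualMachine.Interact.GuestControl',
    'VirtualMachine.Config.AddNewDisk',
    'VirtualMachine.Config.CPUCount',
    'VirtualMachine.Config.Memory',
    'VirtualMachine.Config.AddRemoveDevice',
    'VirtualMachine.Config.Resource',
    'VirtualMachine.Config.DiskExtend',
    'Resource.AssignVMToPool',
    'VApp.Import',
    'StoragePod.Config'
)

# Resolve the privilege ids first and stop if any are unknown, so the role
# is never silently created with only a subset of the intended privileges.
$privs   = Get-VIPrivilege -Id $privIds -ErrorAction SilentlyContinue
$missing = $privIds | Where-Object { $_ -notin $privs.Id }
if ($missing) { throw "Unknown privilege id(s): $($missing -join ', ')" }

# Create the role only if it does not exist yet, so the script is re-runnable.
$role = Get-VIRole -Name $roleName -ErrorAction SilentlyContinue
if (-not $role) { $role = New-VIRole -Name $roleName -Privilege $privs }

# Domain and group go together in -Name; -Domain and -Name are in different
# parameter sets. Stop if the group does not resolve instead of creating
# a permission against an empty principal.
$account = Get-VIAccount -Group -Name $principal
if (-not $account) { throw "Group '$principal' not found; check the identity source." }

# Root "Datacenters" folder, with the permission propagated to every child object.
$rootFolder = Get-Folder -Name Datacenters
New-VIPermission -Entity $rootFolder -Principal $account -Role $role -Propagate:$true
```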
That worked! It successfully returned the CDUSERS group.
When I try the same thing with the group I need though (AAA_TestGroup), I don't get anything. Not even an error this time. Is my AD environment not going to allow me to specify a domain group for the Principal?
You can also use meta characters in there.
Does
Get-VIAccount -Group -Name "DOMAIN\AAA_*"
return anything?
Is there perhaps a difference in the group's 'Pre Windows 2000' name and its AD name?
Can you perhaps show the properties of that group?
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
The frustrations continue... Running the command with the meta characters still produces no output. I also verified that the Group name and the Pre-Windows 2000 name are identical.
As far as the properties of the group go, there is nothing special. It's a Domain Local Security group, with no members, and is not a member of any other group.
So, some groups work, others don't.
Is that correct?
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
That's correct. It seems like groups in OU's closer to the root of the domain work. Groups lower (such as the one I need) do not.
And just an update.. I spoke with our App guys, and they are okay with using a local group on the vCenter server as the Principal. They plan on nesting their domain group within this local group to provide access.
At this point it's one of those things where I just want to know why it doesn't work!
Does this (old) workaround for a similar problem work?
See The bug in New-VIPermission and how to deal with it.
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Am I doing this right? I copied the script and saved it as CreateVIAccount.ps1. While connected to my vCenter server, I ran ". .\CreateVIAccount.ps1". It gives me a security warning, which I accept. Then I run:
$account = New-VIAccount "Domain\User"
Which outputs:
You cannot call a method on a null-valued expression.
At CreateVIAccount.ps1:9 char:26
+ $client = $method.Invoke <<<< ($global:DefaultVIServer, $null)
+ CategoryInfo : InvalidOperation: (Invoke:String) [], RuntimeException
+ FullyQualifiedErrorId : InvokeMethodOnNull
New-Object : Constructor not found. Cannot find an appropriate constructor for type VMware.VimAutomation.Client20.PermissionManagement.VCUserAccountImpl.
At CreateVIAccount.ps1:11 char:14
+ (New-Object <<<< VMware.VimAutomation.Client20.PermissionManagement.VCUserAccountImpl `
+ CategoryInfo : ObjectNotFound: (:) [New-Object], PSArgumentException
+ FullyQualifiedErrorId : CannotFindAppropriateCtor,Microsoft.PowerShell.Commands.NewObjectCommand
Did you dot-source the .ps1 file?
Otherwise the function defined in that .ps1 file is not known.
Do
. ./CreateVIAccount.ps1
Yes, there is a blank between the 2 dots.
You can check that function is loaded by doing
Get-Command -Name New-VIAccount
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference